[lijok]

We self-host Harbor as well, it’s fairly painless. Has SSO out of the box, a Terraform provider that covers everything, and for the most part just works.

The issues we’ve had so far:

- No programmatic way to retrieve your token that’s required for ‘docker login’. So we had to create a robot account per user and pop their creds into our secrets store.

- Migrating between sites by cloning the underlying S3 bucket and spinning up the new Harbor instance on top of it, does not work. Weird issues with dropping pulls.

- RBAC goes down to project, not repository level, complicating some of our SDLC controls.

- CSRF errors every time you try to do anything in the UI

- Lenient API and lack of docs means things like setting up tag immutability rules via Terraform was a bit of a PITA to figure out the right syntax

So some small issues, but definitely a great piece of software.

[delusional]

What the upgrade story like? Their official website makes it sound like a pain (stopping the software, backing up the database, changing the settings syntax, running some installer). I would expect something built for kubernetes to just do the right thing on startup (such that upgrading is simply switching out the image).

[yorwba]

I upgraded Harbor before, it was a pain. I think you're encouraged to use their official Helm chart and then it's supposed to be fairly seamless https://goharbor.io/docs/2.13.0/administration/upgrade/helm-... but if your predecessor decided against that option, separately adjusting the configuration for all the moving pieces is fairly annoying. Also, I misconfigured something and ended having to read Harbor source code because the error messages weren't very helpful. Fortunately, I had the presence of mind to first practice on a secondary installation created from a backup. It's definitely not something where you can stop production, install the update, and expect it to come back up in working order.

[vergessenmir]

Harbor has its pain points but it is infinitely easier to get up and running compared to crufty Artifactory.

One glaring omission is lack of support for proxy docker.io without the project name i.e pulling nginx:latest instead of /myproject/nginx/nginx:latest

The workaround involves URL rewrite magic in your proxy of choice

[tedivm]

The lack of OIDC support for Harbor has been the biggest annoyance for me. I'd love to be able to push from Github Actions to Harbor without needing robot users.

[mdaniel]

I was shocked to read such a thing in 2025 but either there is some nuance to your observation or your information is outdated https://goharbor.io/docs/2.13.0/administration/#:~:text=or%2...

[tedivm]

You're mixing up Human OIDC and Machine Flow OIDC. You can use OIDC to log in as a user, but you can't use OIDC to allow federated trust from something like Github Actions.

If you can find an example of OIDC with Github Actions and Harbor I'd love to see it.